You can customize security to some extent at the application server level. You can disable administrative security on an application server.
Before you begin
Deprecated feature: Server level security has been deprecated in this release of WebSphere® Application Server. Multiple security domain support has been added in its place. You can create different security configurations and assign them to different applications in WebSphere Application Server processes. By creating multiple security domains, you can configure different security attributes for both administrative and user applications within a cell environment. You can configure different applications to use different security configurations by assigning the servers or clusters or SIBuses that host these applications to the security domains. Read about Multiple security domains for more detailed information.
You can also modify Java 2 Security and some of the other security attributes that are found on the Global security panel. This panel provides access to the cell-level security settings. You cannot configure a different authentication mechanism or user registry on an individual server basis. This feature is limited to cell-level configuration only.
By default, server security inherits all of the values that are configured for cell-level security. To override the cell-level security configuration at the server level, click Servers > Application Servers > server_name. Under Security, click Server Security and click any of the following links:
- CSIv2 inbound authentication
- CSIv2 outbound authentication
- CSIv2 inbound transport
- CSIv2 outbound transport
- SAS inbound transport
- SAS outbound transport
- z/SAS authentication
- Server-level security
Note: SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
Note: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
After you modify the configuration in any of these panels and click OK or Apply, the security configuration for that panel or set of panels overrides cell-level security. Panels that are not overridden continue to inherit their settings from the cell level. You can revert to the cell-level security configuration at any time by clearing the check box next to any of the following options on the Server security panel:
- Security settings for this server override cell settings
- RMI/IIOP security for this server overrides cell settings
- SAS security for this server overrides cell settings
A number of additional Secure Authentication Services for z/OS® (z/SAS) attributes can be considered for security at a server level, such as:
- Local identity
- Remote identity
- Sync to thread allowed
For more information, see Server and administrative security.
What to do next
Typically, server-level security is used to disable user security for a specific application server. However, it can also be used to disable or enable the Java 2 security manager, and to configure the authentication requirements for both incoming and outgoing RMI/IIOP requests on this application server.
After you modify the configuration for a particular application server, you must restart the application server for the changes to become effective. To restart the application server, go to Servers > Application servers and click the server name that you recently modified. Click Stop and then Start.
If you disabled security for the application server, you can typically test a web address that is protected when security is enabled. One application that is usually available, when the DefaultApplication is installed during installation, is the snoop application. If the DefaultApplication is installed on the application server, test that security is disabled by going to the following URL: http://host.domain:9080/snoop. If security is disabled, a prompt does not display. This URL is just one method of validating the configuration. Validate that the configuration is appropriate for your applications.
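The URL check described above can be scripted so that it is repeatable after each restart. The following Python sketch is an added example, not part of the original documentation; the names classify and probe are assumptions made for illustration. It requests a URL without credentials and reports whether the server challenged for authentication, redirected, or served the page without a prompt.

```python
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers):
    """Interpret an unauthenticated response (hypothetical helper)."""
    names = {name.lower() for name in headers}
    if status == 401 and "www-authenticate" in names:
        return "protected: server sent an authentication challenge"
    if status in (301, 302, 303, 307, 308) and "location" in names:
        return "redirected: check whether Location is a login page"
    if status == 200:
        return "open: page served without a prompt"
    return "inconclusive: HTTP %d" % status


def probe(url, timeout=5):
    """Request url with no credentials and classify the answer."""
    # ProxyHandler({}) ignores proxy environment variables so the
    # application server itself is what answers.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}), _NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers))
    except urllib.error.URLError as err:
        return "unreachable: %s" % err.reason


if __name__ == "__main__":
    # Example: python check_snoop.py http://host.domain:9080/snoop
    for target in sys.argv[1:]:
        print(target, "->", probe(target))
```

An "open" result for a server where you did not intend to disable security means the server-level override is in effect and should be reviewed.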